MantisBT

View Issue Details
ID: 0030993
Project: Open CASCADE [OCCT]
Category: OCCT:Modeling Algorithms
View Status: public
Date Submitted: 2019-09-24 08:32
Last Update: 2019-10-23 11:51
Reporter: abv
Assigned To: abv
Priority: normal
Severity: minor
Status: verified
Resolution: fixed
Platform:
OS:
OS Version:
Product Version:
Target Version: [OCCT] 7.5.0*
Fixed in Version:
Summary: 0030993: Modeling Algorithms - heap-use-after-free reported by Clang address sanitizer in BRepFeat_MakeRevolutionForm::Perform()
Description: When running OCCT built on Linux with Clang with option -fsanitize=address, error heap-use-after-free is reported on test feat featrf A1:

featperform rf result
=================================================================
==18220==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000d5348 at pc 0x7f6c72f1527e bp 0x7ffea1ac7660 sp 0x7ffea1ac7658

READ of size 8 at 0x6030000d5348 thread T0
    #0 0x7f6c72f1527d in opencascade::handle::get() const /home/abv/occt/src/Standard/Standard_Handle.hxx:127:51
    #1 0x7f6c72f15239 in bool opencascade::handle::operator==(opencascade::handle const&) const /home/abv/occt/src/Standard/Standard_Handle.hxx:139:33
    #2 0x7f6c72f151f1 in TopoDS_Shape::IsSame(TopoDS_Shape const&) const /home/abv/occt/src/TopoDS/TopoDS_Shape.hxx:240:23
    #3 0x7f6c63c5e834 in BRepFeat_MakeRevolutionForm::Perform() /home/abv/occt/src/BRepFeat/BRepFeat_MakeRevolutionForm.cxx:1055:19
    #4 0x7f6c64f2e0af in PERF(Draw_Interpretor&, int, char const**) /home/abv/occt/src/BRepTest/BRepTest_FeatureCommands.cxx:1891:8
    #5 0x7f6c72ed7349 in Draw_Interpretor::CallBackDataFunc::Invoke(Draw_Interpretor&, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.hxx:81:31
    #6 0x7f6c72ee4b7d in CommandCmd(void*, Tcl_Interp*, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:154:40
    #7 0x7f6c6d274b95 in TclInvokeStringCommand (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x38b95)
    #8 0x7f6c6d276fa6 in TclNRRunCallbacks (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x3afa6)
    #9 0x7f6c6d31587a in Tcl_RecordAndEvalObj (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0xd987a)
    #10 0x7f6c6d315756 in Tcl_RecordAndEval (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0xd9756)
    #11 0x7f6c72ee60bf in Draw_Interpretor::RecordAndEval(char const*, int) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:496:10
    #12 0x7f6c72eccdad in Draw_Interprete(char const*) /home/abv/occt/src/Draw/Draw.cxx:608:19
    #13 0x7f6c72ecdb90 in interpreteTclCommand(TCollection_AsciiString const&) /home/abv/occt/src/Draw/Draw.cxx:110:5
    #14 0x7f6c72ecb37b in ReadInitFile(TCollection_AsciiString const&) /home/abv/occt/src/Draw/Draw.cxx:121:3
    #15 0x7f6c72eca973 in Draw_Appli(int, char**, void (*)(Draw_Interpretor&)) /home/abv/occt/src/Draw/Draw.cxx:497:5
    #16 0x7f6c72ee7328 in Draw_Main(int, char**, void (*)(Draw_Interpretor&)) /home/abv/occt/src/Draw/Draw_Main.cxx:113:3
    #17 0x51aaef in main /home/abv/occt/src/DRAWEXE/DRAWEXE.cxx:33:1
    #18 0x7f6c6bca082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #19 0x41aac8 in _start (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x41aac8)

0x6030000d5348 is located 8 bytes inside of 32-byte region [0x6030000d5340,0x6030000d5360)
freed by thread T0 here:
    #0 0x4deb18 in __interceptor_cfree.localalias.0 (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x4deb18)
    #1 0x7f6c6e83d6db in Standard_MMgrRaw::Free(void*) /home/abv/occt/src/Standard/Standard_MMgrRaw.cxx:55:3
    #2 0x7f6c6e83380c in Standard::Free(void*) /home/abv/occt/src/Standard/Standard.cxx:250:36
    #3 0x7f6c6e892b20 in NCollection_BaseAllocator::Free(void*) /home/abv/occt/src/NCollection/NCollection_BaseAllocator.cxx:46:18
    #4 0x7f6c72f146ec in NCollection_TListNode::delNode(NCollection_ListNode*, opencascade::handle&) /home/abv/occt/src/NCollection/NCollection_TListNode.hxx:43:12
    #5 0x7f6c6e896bc3 in NCollection_BaseList::PClear(void (*)(NCollection_ListNode*, opencascade::handle&)) /home/abv/occt/src/NCollection/NCollection_BaseList.cxx:32:5
    #6 0x7f6c72f14678 in NCollection_List::Clear(opencascade::handle const&) /home/abv/occt/src/NCollection/NCollection_List.hxx:98:5
    #7 0x7f6c63c5e881 in BRepFeat_MakeRevolutionForm::Perform() /home/abv/occt/src/BRepFeat/BRepFeat_MakeRevolutionForm.cxx:1056:24
    #8 0x7f6c64f2e0af in PERF(Draw_Interpretor&, int, char const**) /home/abv/occt/src/BRepTest/BRepTest_FeatureCommands.cxx:1891:8
    #9 0x7f6c72ed7349 in Draw_Interpretor::CallBackDataFunc::Invoke(Draw_Interpretor&, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.hxx:81:31
    #10 0x7f6c72ee4b7d in CommandCmd(void*, Tcl_Interp*, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:154:40
    #11 0x7f6c6d274b95 in TclInvokeStringCommand (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x38b95)

previously allocated by thread T0 here:
    #0 0x4deef0 in calloc (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x4deef0)
    #1 0x7f6c6e83d658 in Standard_MMgrRaw::Allocate(unsigned long) /home/abv/occt/src/Standard/Standard_MMgrRaw.cxx:41:39
    #2 0x7f6c6e8337ac in Standard::Allocate(unsigned long) /home/abv/occt/src/Standard/Standard.cxx:240:43
    #3 0x7f6c6e892b0b in NCollection_BaseAllocator::Allocate(unsigned long) /home/abv/occt/src/NCollection/NCollection_BaseAllocator.cxx:36:10
    #4 0x7f6c72ecff6f in NCollection_ListNode::operator new(unsigned long, opencascade::handle const&) /home/abv/occt/src/NCollection/NCollection_ListNode.hxx:30:3
    #5 0x7f6c724db6e1 in NCollection_List::Append(TopoDS_Shape const&) /home/abv/occt/src/NCollection/NCollection_List.hxx:134:23
    #6 0x7f6c63c5526a in BRepFeat_MakeRevolutionForm::Init(TopoDS_Shape const&, TopoDS_Wire const&, opencascade::handle const&, gp_Ax1 const&, double, double, int, bool&) /home/abv/occt/src/BRepFeat/BRepFeat_MakeRevolutionForm.cxx:568:13
    #7 0x7f6c64f2bfc0 in DEFIN(Draw_Interpretor&, int, char const**) /home/abv/occt/src/BRepTest/BRepTest_FeatureCommands.cxx:1612:13
    #8 0x7f6c72ed7349 in Draw_Interpretor::CallBackDataFunc::Invoke(Draw_Interpretor&, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.hxx:81:31
    #9 0x7f6c72ee4b7d in CommandCmd(void*, Tcl_Interp*, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:154:40
    #10 0x7f6c6d274b95 in TclInvokeStringCommand (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x38b95)

SUMMARY: AddressSanitizer: heap-use-after-free /home/abv/occt/src/Standard/Standard_Handle.hxx:127:51 in opencascade::handle::get() const
==18220==ABORTING
Steps To Reproduce: Build on Linux with Clang with -fsanitize=address, then run test feat featrf A1 (or any other in this grid)
Tags: No tags attached.
Test case number: Not required
Attached Files

- Relationships
child of 0030557 (new, kgv): Coding - eliminate errors reported by -fsanitize

- Notes
(0087459)
git (administrator)
2019-09-24 08:35

Branch CR30993 has been created by abv.

SHA-1: e8b2b3e04a99889c5a76ffe3a5aa149116199be8


Detailed log of new commits:

Author: abv
Date: Tue Sep 24 08:32:09 2019 +0300

    0030993: Modeling Algorithms - heap-use-after-free reported by Clang address sanitizer in BRepFeat_MakeRevolutionForm::Perform()
    
    Use of reference to object removed from the list after that removal is avoided
(0087470)
abv (manager)
2019-09-24 12:51

Fix pushed to branch CR30993, please review. Tests passed in Jenkins job CR30993-abv; please ignore failure reported on Products - it is due to another issue (#30994).
(0087484)
msv (developer)
2019-09-24 15:27

Reviewed.
(0087492)
bugmaster (administrator)
2019-09-24 17:40

Combination -
OCCT branch : CR30993
master SHA - e8b2b3e04a99889c5a76ffe3a5aa149116199be8
5f5b1aed1c6e139bbd34314eca77ae7abcd8895c
Products branch : master SHA - cede13b0d79b1c3448ecd68f0db85c2a087762ad
was compiled on Linux, MacOS and Windows platforms and tested in optimize mode.

Number of compiler warnings:
No new/fixed warnings

Regressions/Differences/Improvements:
No regressions/differences

CPU differences:
Debian80-64:
OCCT
Total CPU difference: 16839.580000000045 / 16808.79000000008 [+0.18%]
Products
Total CPU difference: 10564.140000000027 / 10568.68000000004 [-0.04%]
Windows-64-VC14:
OCCT
Total CPU difference: 18266.03125 / 18298.78125 [-0.18%]
Products
Total CPU difference: 12516.46875 / 12507.671875 [+0.07%]


Image differences :
No differences that require special attention

Memory differences :
No differences that require special attention
(0087882)
abv (manager)
2019-10-06 08:37

The fix is incomplete: sanitizer still reports similar errors in the same method
(0087893)
git (administrator)
2019-10-06 23:50

Branch CR30993_1 has been created by abv.

SHA-1: 20f7a8bb8b835d5c033a9c3f24a86021da45aa08


Detailed log of new commits:

Author: abv
Date: Tue Sep 24 08:32:09 2019 +0300

    0030993: Modeling Algorithms - heap-use-after-free reported by Clang address sanitizer in BRepFeat_MakeRevolutionForm::Perform()
    
    Use of reference to object removed from the list after that removal is avoided
(0087900)
abv (manager)
2019-10-07 13:45

Completed fix is pushed to CR30993_1 (on top of the branch with other sanitizing fixes) and tested, see Jenkins job CR30993-abv. Please review again
(0087949)
msv (developer)
2019-10-08 17:11

Reviewed.
(0088467)
git (administrator)
2019-10-23 11:51

Branch CR30993 has been deleted by kgv.

SHA-1: e8b2b3e04a99889c5a76ffe3a5aa149116199be8
(0088468)
git (administrator)
2019-10-23 11:51

Branch CR30993_1 has been deleted by kgv.

SHA-1: 20f7a8bb8b835d5c033a9c3f24a86021da45aa08

- Related Changesets
occt: master c275673d
Timestamp: 2019-09-24 05:32:09
Author: abv
Committer: abv
0030993: Modeling Algorithms - heap-use-after-free reported by Clang address sanitizer in BRepFeat_MakeRevolutionForm::Perform()

Use of reference to object removed from the list after that removal is avoided
mod - src/BRepFeat/BRepFeat_MakeRevolutionForm.cxx
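The pattern behind the report, as an added illustration rather than OCCT's own code: the READ trace ends in TopoDS_Shape::IsSame() called from Perform() at line 1055 on a list node that NCollection_List::Clear() at line 1056 had already freed, i.e. a reference into the list outlived the node it pointed to. The Shape type, the std::list stand-in for NCollection_List, and the sample shapes below are constructed; the fixed form shows one way to avoid the dangling reference and is not necessarily the exact change in the commit.

```cpp
#include <list>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for TopoDS_Shape: identity is a shared handle, so
// IsSame() compares handles, as TopoDS_Shape::IsSame() does in READ frame #2.
struct Shape {
    std::shared_ptr<std::string> handle;
    bool IsSame(const Shape& other) const { return handle == other.handle; }
};

// Buggy pattern from the report (for comparison only, never called): `sketch`
// refers into a node of `pending`; after clear() runs inside the loop, the
// next IsSame() (READ frame #3 in the report) dereferences the freed node.
int CountMatchesBuggy(std::list<Shape>& pending, const std::vector<Shape>& faces) {
    const Shape& sketch = pending.front();   // points into list-owned memory
    int matches = 0;
    for (const Shape& f : faces) {
        if (f.IsSame(sketch)) {              // heap-use-after-free once cleared
            ++matches;
            pending.clear();                 // frees the node `sketch` refers to
        }
    }
    return matches;
}

// Fixed pattern: copy the element before the list is modified (shapes are
// cheap handle wrappers), so no reference outlives the node it pointed into.
int CountMatchesFixed(std::list<Shape>& pending, const std::vector<Shape>& faces) {
    const Shape sketch = pending.front();    // by value: survives clear()
    int matches = 0;
    for (const Shape& f : faces) {
        if (f.IsSame(sketch)) {
            ++matches;
            pending.clear();
        }
    }
    return matches;
}

// Constructed input: one pending sketch shape; two of three faces share its
// handle. Returns the match count, or -1 if the list was not cleared.
int RunFixedDemo() {
    auto h = std::make_shared<std::string>("sketch");
    std::list<Shape> pending{Shape{h}};
    std::vector<Shape> faces{Shape{h}, Shape{std::make_shared<std::string>("other")}, Shape{h}};
    int n = CountMatchesFixed(pending, faces);
    return pending.empty() ? n : -1;
}
```

Building the buggy function with -fsanitize=address and calling it on the same input reproduces the heap-use-after-free report shape seen above, with the free attributed to clear() and the read to IsSame().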

- Issue History
Date Modified Username Field Change
2019-09-24 08:32 abv New Issue
2019-09-24 08:32 abv Assigned To => msv
2019-09-24 08:32 abv Relationship added child of 0030557
2019-09-24 08:35 git Note Added: 0087459
2019-09-24 12:51 abv Note Added: 0087470
2019-09-24 12:51 abv Status new => resolved
2019-09-24 12:51 abv Target Version 7.5.0* => 7.4.0
2019-09-24 15:27 msv Note Added: 0087484
2019-09-24 15:27 msv Assigned To msv => bugmaster
2019-09-24 15:27 msv Status resolved => reviewed
2019-09-24 17:40 bugmaster Test case number => Not required
2019-09-24 17:40 bugmaster Note Added: 0087492
2019-09-24 17:40 bugmaster Status reviewed => tested
2019-09-29 12:29 bugmaster Target Version 7.4.0 => 7.5.0*
2019-10-06 08:37 abv Note Added: 0087882
2019-10-06 08:37 abv Assigned To bugmaster => abv
2019-10-06 08:37 abv Status tested => assigned
2019-10-06 23:50 git Note Added: 0087893
2019-10-07 13:45 abv Note Added: 0087900
2019-10-07 13:45 abv Assigned To abv => msv
2019-10-07 13:45 abv Status assigned => resolved
2019-10-07 13:45 abv Steps to Reproduce Updated
2019-10-08 17:11 msv Note Added: 0087949
2019-10-08 17:11 msv Assigned To msv => bugmaster
2019-10-08 17:11 msv Status resolved => reviewed
2019-10-23 01:07 abv Changeset attached => occt master c275673d
2019-10-23 01:07 abv Assigned To bugmaster => abv
2019-10-23 01:07 abv Status reviewed => verified
2019-10-23 01:07 abv Resolution open => fixed
2019-10-23 11:51 git Note Added: 0088467
2019-10-23 11:51 git Note Added: 0088468

