View Issue Details

ID: 0030993
Project: Open CASCADE
Category: OCCT:Modeling Algorithms
View Status: public
Last Update: 2020-12-02 17:12
Reporter: abv
Assigned To: abv
Priority: normal
Severity: minor
Status: closed
Resolution: fixed
Target Version: 7.5.0
Fixed in Version: 7.5.0
Summary: 0030993: Modeling Algorithms - heap-use-after-free reported by Clang address sanitizer in BRepFeat_MakeRevolutionForm::Perform()
Description: When running OCCT built on Linux with Clang with option -fsanitize=address, error heap-use-after-free is reported on test feat featrf A1:

featperform rf result
=================================================================
==18220==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000d5348 at pc 0x7f6c72f1527e bp 0x7ffea1ac7660 sp 0x7ffea1ac7658

READ of size 8 at 0x6030000d5348 thread T0
    #0 0x7f6c72f1527d in opencascade::handle::get() const /home/abv/occt/src/Standard/Standard_Handle.hxx:127:51
    #1 0x7f6c72f15239 in bool opencascade::handle::operator==(opencascade::handle const&) const /home/abv/occt/src/Standard/Standard_Handle.hxx:139:33
    #2 0x7f6c72f151f1 in TopoDS_Shape::IsSame(TopoDS_Shape const&) const /home/abv/occt/src/TopoDS/TopoDS_Shape.hxx:240:23
    #3 0x7f6c63c5e834 in BRepFeat_MakeRevolutionForm::Perform() /home/abv/occt/src/BRepFeat/BRepFeat_MakeRevolutionForm.cxx:1055:19
    #4 0x7f6c64f2e0af in PERF(Draw_Interpretor&, int, char const**) /home/abv/occt/src/BRepTest/BRepTest_FeatureCommands.cxx:1891:8
    #5 0x7f6c72ed7349 in Draw_Interpretor::CallBackDataFunc::Invoke(Draw_Interpretor&, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.hxx:81:31
    #6 0x7f6c72ee4b7d in CommandCmd(void*, Tcl_Interp*, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:154:40
    #7 0x7f6c6d274b95 in TclInvokeStringCommand (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x38b95)
    #8 0x7f6c6d276fa6 in TclNRRunCallbacks (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x3afa6)
    #9 0x7f6c6d31587a in Tcl_RecordAndEvalObj (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0xd987a)
    #10 0x7f6c6d315756 in Tcl_RecordAndEval (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0xd9756)
    #11 0x7f6c72ee60bf in Draw_Interpretor::RecordAndEval(char const*, int) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:496:10
    #12 0x7f6c72eccdad in Draw_Interprete(char const*) /home/abv/occt/src/Draw/Draw.cxx:608:19
    #13 0x7f6c72ecdb90 in interpreteTclCommand(TCollection_AsciiString const&) /home/abv/occt/src/Draw/Draw.cxx:110:5
    #14 0x7f6c72ecb37b in ReadInitFile(TCollection_AsciiString const&) /home/abv/occt/src/Draw/Draw.cxx:121:3
    #15 0x7f6c72eca973 in Draw_Appli(int, char**, void (*)(Draw_Interpretor&)) /home/abv/occt/src/Draw/Draw.cxx:497:5
    #16 0x7f6c72ee7328 in Draw_Main(int, char**, void (*)(Draw_Interpretor&)) /home/abv/occt/src/Draw/Draw_Main.cxx:113:3
    #17 0x51aaef in main /home/abv/occt/src/DRAWEXE/DRAWEXE.cxx:33:1
    #18 0x7f6c6bca082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #19 0x41aac8 in _start (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x41aac8)

0x6030000d5348 is located 8 bytes inside of 32-byte region [0x6030000d5340,0x6030000d5360)
freed by thread T0 here:
    #0 0x4deb18 in __interceptor_cfree.localalias.0 (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x4deb18)
    #1 0x7f6c6e83d6db in Standard_MMgrRaw::Free(void*) /home/abv/occt/src/Standard/Standard_MMgrRaw.cxx:55:3
    #2 0x7f6c6e83380c in Standard::Free(void*) /home/abv/occt/src/Standard/Standard.cxx:250:36
    #3 0x7f6c6e892b20 in NCollection_BaseAllocator::Free(void*) /home/abv/occt/src/NCollection/NCollection_BaseAllocator.cxx:46:18
    #4 0x7f6c72f146ec in NCollection_TListNode::delNode(NCollection_ListNode*, opencascade::handle&) /home/abv/occt/src/NCollection/NCollection_TListNode.hxx:43:12
    #5 0x7f6c6e896bc3 in NCollection_BaseList::PClear(void (*)(NCollection_ListNode*, opencascade::handle&)) /home/abv/occt/src/NCollection/NCollection_BaseList.cxx:32:5
    #6 0x7f6c72f14678 in NCollection_List::Clear(opencascade::handle const&) /home/abv/occt/src/NCollection/NCollection_List.hxx:98:5
    #7 0x7f6c63c5e881 in BRepFeat_MakeRevolutionForm::Perform() /home/abv/occt/src/BRepFeat/BRepFeat_MakeRevolutionForm.cxx:1056:24
    #8 0x7f6c64f2e0af in PERF(Draw_Interpretor&, int, char const**) /home/abv/occt/src/BRepTest/BRepTest_FeatureCommands.cxx:1891:8
    #9 0x7f6c72ed7349 in Draw_Interpretor::CallBackDataFunc::Invoke(Draw_Interpretor&, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.hxx:81:31
    #10 0x7f6c72ee4b7d in CommandCmd(void*, Tcl_Interp*, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:154:40
    #11 0x7f6c6d274b95 in TclInvokeStringCommand (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x38b95)

previously allocated by thread T0 here:
    #0 0x4deef0 in calloc (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x4deef0)
    #1 0x7f6c6e83d658 in Standard_MMgrRaw::Allocate(unsigned long) /home/abv/occt/src/Standard/Standard_MMgrRaw.cxx:41:39
    #2 0x7f6c6e8337ac in Standard::Allocate(unsigned long) /home/abv/occt/src/Standard/Standard.cxx:240:43
    #3 0x7f6c6e892b0b in NCollection_BaseAllocator::Allocate(unsigned long) /home/abv/occt/src/NCollection/NCollection_BaseAllocator.cxx:36:10
    #4 0x7f6c72ecff6f in NCollection_ListNode::operator new(unsigned long, opencascade::handle const&) /home/abv/occt/src/NCollection/NCollection_ListNode.hxx:30:3
    #5 0x7f6c724db6e1 in NCollection_List::Append(TopoDS_Shape const&) /home/abv/occt/src/NCollection/NCollection_List.hxx:134:23
    #6 0x7f6c63c5526a in BRepFeat_MakeRevolutionForm::Init(TopoDS_Shape const&, TopoDS_Wire const&, opencascade::handle const&, gp_Ax1 const&, double, double, int, bool&) /home/abv/occt/src/BRepFeat/BRepFeat_MakeRevolutionForm.cxx:568:13
    #7 0x7f6c64f2bfc0 in DEFIN(Draw_Interpretor&, int, char const**) /home/abv/occt/src/BRepTest/BRepTest_FeatureCommands.cxx:1612:13
    #8 0x7f6c72ed7349 in Draw_Interpretor::CallBackDataFunc::Invoke(Draw_Interpretor&, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.hxx:81:31
    #9 0x7f6c72ee4b7d in CommandCmd(void*, Tcl_Interp*, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:154:40
    #10 0x7f6c6d274b95 in TclInvokeStringCommand (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x38b95)

SUMMARY: AddressSanitizer: heap-use-after-free /home/abv/occt/src/Standard/Standard_Handle.hxx:127:51 in opencascade::handle::get() const
Shadow bytes around the buggy address:
  0x0c0680012a10: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c0680012a20: 00 00 00 00 fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c0680012a30: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c0680012a40: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c0680012a50: fd fd fd fa fa fa fd fd fd fa fa fa 00 00 00 00
=>0x0c0680012a60: fa fa 00 00 00 00 fa fa fd[fd]fd fd fa fa 00 00
  0x0c0680012a70: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c0680012a80: 00 00 00 00 fa fa fd fd fd fd fa fa 00 00 00 00
  0x0c0680012a90: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd
  0x0c0680012aa0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c0680012ab0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==18220==ABORTING
Steps To Reproduce: Build on Linux with Clang with -fsanitize=address, then run test feat featrf A1 (or any other in this grid)
Tags: No tags attached.
Test case number: Not required
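The report above shows the classic shape of this defect: the read at BRepFeat_MakeRevolutionForm.cxx:1055 goes through a TopoDS_Shape whose storage was a list node, and that node was freed by NCollection_List::Clear() at line 1056, one line later in the source. The fix committed for this issue is described as avoiding the "use of reference to object removed from the list after that removal". The following is an added illustration, not OCCT code: it reduces the pattern to standard C++ with a hypothetical Shape stand-in (a shared_ptr plays the role of opencascade::handle, std::list the role of NCollection_List) and places the dangling-reference version next to two safe rewrites. The buggy function is kept only to show what the sanitizer flags; it is not called.

```cpp
// Added example (not OCCT code): a reference bound to a list element becomes
// dangling once the list is cleared. Shape/TShape/std::list are stand-ins for
// TopoDS_Shape, opencascade::handle and NCollection_List (assumptions, not
// the project's types).
#include <list>
#include <memory>
#include <string>

struct TShape { std::string name; };

// Stand-in for TopoDS_Shape: like TopoDS_Shape::IsSame, identity is decided
// by comparing the underlying handle, i.e. the pointer.
struct Shape {
    std::shared_ptr<TShape> tshape;
    bool IsSame(const Shape& other) const { return tshape == other.tshape; }
};

// Buggy pattern (never called here): bind a reference to an element, clear
// the list, then use the reference. clear() frees the node that owns the
// element, so IsSame reads freed memory. Built with -fsanitize=address this
// is reported as heap-use-after-free in the handle comparison, which is the
// signature seen in the report above.
bool compareAfterClear_buggy(std::list<Shape>& shapes, const Shape& probe) {
    const Shape& first = shapes.front(); // reference into a list node
    shapes.clear();                      // node freed: 'first' now dangles
    return first.IsSame(probe);          // read of freed memory
}

// Fix 1: take the result while the node is still alive, then clear.
bool compareBeforeClear_fixed(std::list<Shape>& shapes, const Shape& probe) {
    if (shapes.empty()) return false;
    const bool same = shapes.front().IsSame(probe);
    shapes.clear();
    return same;
}

// Fix 2: copy the element by value. Copying the Shape copies the handle and
// keeps the referenced object alive independently of the list node.
bool compareCopy_fixed(std::list<Shape>& shapes, const Shape& probe) {
    if (shapes.empty()) return false;
    const Shape first = shapes.front(); // copy, not a reference
    shapes.clear();
    return first.IsSame(probe);
}

// Constructed scenarios (sample data, not from the report).
bool demoSame() {
    auto t = std::make_shared<TShape>(TShape{"face"});
    std::list<Shape> shapes{Shape{t}};
    return compareBeforeClear_fixed(shapes, Shape{t}); // same handle: true
}

bool demoDifferent() {
    std::list<Shape> shapes{Shape{std::make_shared<TShape>(TShape{"face"})}};
    Shape other{std::make_shared<TShape>(TShape{"face"})};
    return compareCopy_fixed(shapes, other); // equal contents, different handle: false
}

bool demoEmpty() {
    std::list<Shape> shapes;
    return compareBeforeClear_fixed(shapes, Shape{nullptr}); // nothing to compare: false
}
```

Compiling this file with `clang++ -g -fsanitize=address` and calling compareAfterClear_buggy reproduces the same heap-use-after-free diagnostic class as the report, with the "freed by" stack pointing at clear(); the two fixed variants run clean. The point for reviewers is that the defect is invisible without the sanitizer because the freed node usually still holds its old bytes, which is why a release build of the test passes.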

Relationships

child of 0030557 (new, dpasukhi): Coding - eliminate errors reported by -fsanitize

Activities

git

2019-09-24 08:35

administrator   ~0087459

Branch CR30993 has been created by abv.

SHA-1: e8b2b3e04a99889c5a76ffe3a5aa149116199be8


Detailed log of new commits:

Author: abv
Date: Tue Sep 24 08:32:09 2019 +0300

    0030993: Modeling Algorithms - heap-use-after-free reported by Clang address sanitizer in BRepFeat_MakeRevolutionForm::Perform()
    
    Use of reference to object removed from the list after that removal is avoided

abv

2019-09-24 12:51

manager   ~0087470

Fix pushed to branch CR30993, please review. Tests passed in Jenkins job CR30993-abv; please ignore failure reported on Products - it is due to another issue (#30994).

msv

2019-09-24 15:27

developer   ~0087484

Reviewed.

bugmaster

2019-09-24 17:40

administrator   ~0087492

Combination -
OCCT branch : CR30993
master SHA - e8b2b3e04a99889c5a76ffe3a5aa149116199be8
5f5b1aed1c6e139bbd34314eca77ae7abcd8895c
Products branch : master SHA - cede13b0d79b1c3448ecd68f0db85c2a087762ad
was compiled on Linux, MacOS and Windows platforms and tested in optimize mode.

Number of compiler warnings:
No new/fixed warnings

Regressions/Differences/Improvements:
No regressions/differences

CPU differences:
Debian80-64:
OCCT
Total CPU difference: 16839.580000000045 / 16808.79000000008 [+0.18%]
Products
Total CPU difference: 10564.140000000027 / 10568.68000000004 [-0.04%]
Windows-64-VC14:
OCCT
Total CPU difference: 18266.03125 / 18298.78125 [-0.18%]
Products
Total CPU difference: 12516.46875 / 12507.671875 [+0.07%]


Image differences :
No differences that require special attention

Memory differences :
No differences that require special attention

abv

2019-10-06 08:37

manager   ~0087882

The fix is incomplete: sanitizer still reports similar errors in the same method

git

2019-10-06 23:50

administrator   ~0087893

Branch CR30993_1 has been created by abv.

SHA-1: 20f7a8bb8b835d5c033a9c3f24a86021da45aa08


Detailed log of new commits:

Author: abv
Date: Tue Sep 24 08:32:09 2019 +0300

    0030993: Modeling Algorithms - heap-use-after-free reported by Clang address sanitizer in BRepFeat_MakeRevolutionForm::Perform()
    
    Use of reference to object removed from the list after that removal is avoided

abv

2019-10-07 13:45

manager   ~0087900

Completed fix is pushed to CR30993_1 (on top of the branch with other sanitizing fixes) and tested, see Jenkins job CR30993-abv. Please review again.

msv

2019-10-08 17:11

developer   ~0087949

Reviewed.

git

2019-10-23 11:51

administrator   ~0088467

Branch CR30993 has been deleted by kgv.

SHA-1: e8b2b3e04a99889c5a76ffe3a5aa149116199be8

git

2019-10-23 11:51

administrator   ~0088468

Branch CR30993_1 has been deleted by kgv.

SHA-1: 20f7a8bb8b835d5c033a9c3f24a86021da45aa08

Related Changesets

occt: master c275673d

2019-09-24 05:32:09

abv


Committer: abv
0030993: Modeling Algorithms - heap-use-after-free reported by Clang address sanitizer in BRepFeat_MakeRevolutionForm::Perform()

Use of reference to object removed from the list after that removal is avoided
Affected Issues
0030993
mod - src/BRepFeat/BRepFeat_MakeRevolutionForm.cxx

Issue History

Date Modified Username Field Change
2019-09-24 08:32 abv New Issue
2019-09-24 08:32 abv Assigned To => msv
2019-09-24 08:32 abv Relationship added child of 0030557
2019-09-24 08:35 git Note Added: 0087459
2019-09-24 12:51 abv Note Added: 0087470
2019-09-24 12:51 abv Status new => resolved
2019-09-24 12:51 abv Target Version 7.5.0 => 7.4.0
2019-09-24 15:27 msv Note Added: 0087484
2019-09-24 15:27 msv Assigned To msv => bugmaster
2019-09-24 15:27 msv Status resolved => reviewed
2019-09-24 17:40 bugmaster Test case number => Not required
2019-09-24 17:40 bugmaster Note Added: 0087492
2019-09-24 17:40 bugmaster Status reviewed => tested
2019-09-29 12:29 bugmaster Target Version 7.4.0 => 7.5.0
2019-10-06 08:37 abv Note Added: 0087882
2019-10-06 08:37 abv Assigned To bugmaster => abv
2019-10-06 08:37 abv Status tested => assigned
2019-10-06 23:50 git Note Added: 0087893
2019-10-07 13:45 abv Note Added: 0087900
2019-10-07 13:45 abv Assigned To abv => msv
2019-10-07 13:45 abv Status assigned => resolved
2019-10-07 13:45 abv Steps to Reproduce Updated
2019-10-08 17:11 msv Note Added: 0087949
2019-10-08 17:11 msv Assigned To msv => bugmaster
2019-10-08 17:11 msv Status resolved => reviewed
2019-10-23 01:07 abv Changeset attached => occt master c275673d
2019-10-23 01:07 abv Assigned To bugmaster => abv
2019-10-23 01:07 abv Status reviewed => verified
2019-10-23 01:07 abv Resolution open => fixed
2019-10-23 11:51 git Note Added: 0088467
2019-10-23 11:51 git Note Added: 0088468
2020-12-02 16:40 emo Fixed in Version => 7.5.0
2020-12-02 17:12 emo Status verified => closed